[Dailydave] Drinking the Cool-aid

Scharf, Stephen Stephen.Scharf at experian.com
Fri Mar 21 19:38:16 EDT 2014


Hello Dan.

I would not be so presumptuous as to assume I am your favorite CISO, but I will take a stab at your comment anyway. I am also a contributing member to the index, but cannot honestly remember which value I answered for the referenced question.

The truth is we buy security products with all the hopes and dreams they are packaged with and expect value will be derived from their cost. In some cases the cost to implement, and most importantly operate, outweighs the value the product delivers. In those situations it does take some managerial courage to step forward. But if handled correctly, it can be a run-rate cost saving exercise. I myself had previously purchased a product (which will remain unnamed) that cost 4x to implement and 2x to operate and generated 1x in value. After giving every effort to salvage the situation, I made the decision to save 2x by eliminating the 1x value. After all, we are not running security charities, nor do we have unlimited funds to buy and retain every product on the market.

Fair to say that CISOs that make these errors frequently (and own up to them) will not be CISOs much longer. But hopefully the majority of CISOs see that removing solutions for valid reasons is not a career limiting exercise, but failing to do so could be.

-Stephen
Global CISO (of a company my email address gives away)


-----Original Message-----
From: dailydave-bounces at lists.immunityinc.com [mailto:dailydave-bounces at lists.immunityinc.com] On Behalf Of dan at geer.org
Sent: Thursday, March 20, 2014 4:18 PM
To: Alfonso De Gregorio
Cc: dailydave
Subject: Re: [Dailydave] Drinking the Cool-aid


 | Networks are often the result of successive technological layers. As
 | organizations take on new business, face new threats, reconsider
 | security notions (e.g., insider/outsider), or embrace "new" security
 | paradigms, more security products get deployed, adding complexity and
 | increasing the attack surface.
 |
 | The picture that emerges resembles one big security contraption. It is
 | hard to tell to what extent it will work as intended.


The question to ask your favorite CISO/CIO/General Counsel is

    Have you or would you ever decommission a security product?


With the Index of Cyber Security (which I run with a colleague),
in September, 2012, we asked a form of this question:


    What percentage of the security products you are running now
    would you still run if you were starting from scratch?

         0-20%    5% of respondents
        21-40%   15% of respondents
        41-60%   20% of respondents
        61-80%   27% of respondents
       81-100%   34% of respondents

    Clearly, there are many who seem to be happy with what they
    have, and yet there is a significant number that thinks they
    could do better.  One in five respondents reported that they
    would keep less than 40% of their current security products.
    Averaging the results, as many as 1 in 2 products at the higher
    end of the range, or 1 in 4 products at the lower end (25.4%
    to 45.6%) would be discarded if starting from scratch were to
    be an option.  The mid-point of these high and low ranges was
    35.5%, or roughly 1 in 3, which was interestingly high.


Part of the explanation here is surely that no CISO/CIO/GC wants
to stand up in a Management Committee meeting and say "Our investment
in the PushMePullMe Scanner has proved to be a total loss; we need
$X,000,000 to decommission it and buy the tIPSy-nIPSy system instead."
No, it will be to *add* tIPSy-nIPSy to the environment and leave
the PushMePullMe Scanner up and running.


--dan

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave

